Vulnerabilities - Yack CVE

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-12029 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium se...Show more Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)Show less
CVE-2026-12030 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium...Show more Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)Show less
CVE-2026-12031 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page...Show more Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)Show less
CVE-2026-12032 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 3.1 LOW· v3 N/A· v2 Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium...Show more Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)Show less
CVE-2026-12033 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML...Show more Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)Show less
CVE-2026-44494 1Axios 1Axios Jun 12, 2026 Jun 11, 2026 N/A· v4 8.7 HIGH· v3 N/A· v2 Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the ap...Show more Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.Show less
CVE-2026-44496 1Axios 1Axios Jun 12, 2026 Jun 11, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without esc...Show more Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.Show less
CVE-2026-12034 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox es...Show more Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)Show less
CVE-2026-12035 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-10786 1Devolutions 1Devolutions Server Jun 12, 2026 Jun 8, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API requ...Show more Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlierShow less
CVE-2026-10787 1Devolutions 1Devolutions Server Jun 12, 2026 Jun 8, 2026 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * D...Show more Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlierShow less
CVE-2026-45608 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 12, 2026 Jun 9, 2026 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Out-of-bounds read in Windows DHCP Server allows an authorized attacker to disclose information locally.
CVE-2026-46475 1Flowiseai 1Flowise Jun 12, 2026 Jun 8, 2026 7.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been...Show more Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.Show less
CVE-2026-45634 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 12, 2026 Jun 9, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Out-of-bounds read in Windows DHCP Server allows an authorized attacker to disclose information locally.
CVE-2026-47289 1Microsoft 14Windows 10 1607 Windows 10 1809Windows 10 21h2+11 more Jun 12, 2026 Jun 9, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
CVE-2026-47653 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 12, 2026 Jun 9, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
CVE-2026-47654 1Microsoft 4Windows Server 2016 Windows Server 2019Windows Server 2022+1 more Jun 12, 2026 Jun 9, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
CVE-2026-12011 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium...Show more Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)Show less
CVE-2026-44801 1Microsoft 15Remote Desktop Client Windows 10 1607Windows 10 1809+12 more Jun 12, 2026 Jun 9, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
CVE-2026-12010 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromiu...Show more Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)Show less
CVE-2026-12009 1Google 1Chrome Jun 12, 2026 Jun 11, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Insufficient validation of untrusted input in Accessibility in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a...Show more Insufficient validation of untrusted input in Accessibility in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)Show less
CVE-2026-50091 - - Jun 12, 2026 Jun 12, 2026 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key"...Show more Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical).Show less
CVE-2026-50090 - - Jun 12, 2026 Jun 12, 2026 N/A· v4 9.3 CRITICAL· v3 N/A· v2 The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe...Show more The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).Show less
CVE-2026-50089 - - Jun 12, 2026 Jun 12, 2026 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6....Show more The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.Show less
CVE-2026-50088 - - Jun 12, 2026 Jun 12, 2026 N/A· v4 8.2 HIGH· v3 N/A· v2 The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domai...Show more The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High).Show less

Previous 1...545556...14337 Next

Vulnerabilities (CVE)